MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf7a956dd59e896c36470f38328b0a68da5f7f8a0d42d835db501324e1daec58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf7a956dd59e896c36470f38328b0a68da5f7f8a0d42d835db501324e1daec58
SHA3-384 hash: 5978e5365a76a5c3def114160b63f77063aef3a0a55276b22988dfffdbb8e70791d45cec56f9b6c0324eed2181ccfd16
SHA1 hash: a1eb2e8f4b7b38f9e882ccfefb88af414ad9bb9e
MD5 hash: cea340d0902311318ae4ee12a99ec495
humanhash: moon-nitrogen-spring-diet
File name:Invoice Number T6077635.pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:500'224 bytes
First seen:2021-02-07 07:21:04 UTC
Last seen:2021-02-07 09:20:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:cSDMpra6LbetEPRXUG1wdpWL2Ez+WtTLpzkbvr:ep1GQRR1JzttTO
Threatray 36 similar samples on MalwareBazaar
TLSH 68B47D071D5BF337D5DFE3F28A074FB68112E8A8D0AEBE8B17DD4BD105A191A402692D
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 45.137.22.107
From: opteam@neuron.ae
Subject: Request Invoice
Attachment: Invoice Number T6077635.pdf.gz (contains "Invoice Number T6077635.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice Number T6077635.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-02-07 07:24:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7b65b567-0b3a-4179-917f-c5d2ce999730

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115945/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36310601.9382.10013.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Sending a UDP request
Creating a file
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/601200
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 349619 Sample: Invoice Number T6077635.pdf.exe Startdate: 07/02/2021 Architecture: WINDOWS Score: 100 35 cdn.onenote.net 2->35 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 9 other signatures 2->51 8 Invoice Number T6077635.pdf.exe 3 2->8         started        12 I$s#$lT3ssl.exe 3 2->12         started        signatures3 process4 file5 29 C:\...\Invoice Number T6077635.pdf.exe.log, ASCII 8->29 dropped 53 Writes to foreign memory regions 8->53 55 Injects a PE file into a foreign processes 8->55 14 powershell.exe 14 8->14         started        18 InstallUtil.exe 15 2 8->18         started        57 Allocates memory in foreign processes 12->57 21 InstallUtil.exe 2 12->21         started        23 powershell.exe 17 12->23         started        signatures6 process7 dnsIp8 31 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 14->31 dropped 33 C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier, ASCII 14->33 dropped 59 Drops PE files to the startup folder 14->59 61 Powershell drops PE file 14->61 25 conhost.exe 14->25         started        37 checkip.dyndns.org 18->37 39 checkip.dyndns.com 131.186.161.70, 49721, 49722, 49742 DYNDNSUS United States 18->39 41 freegeoip.app 172.67.188.154, 443, 49723, 49751 CLOUDFLARENETUS United States 18->41 63 Tries to steal Mail credentials (via file access) 18->63 65 Tries to harvest and steal browser information (history, passwords, etc) 18->65 43 checkip.dyndns.org 21->43 27 conhost.exe 23->27         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf7a956dd59e896c36470f38328b0a68da5f7f8a0d42d835db501324e1daec58/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2021-02-07 01:24:12 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x55jk3ovt2ewynshb44dfcykndnf674kbvbnqno3kajsjyo25rma._file
Verdict:
suspicious
Similar samples:
27645f1d148b659a43b23aff406fd0a354c0f4c5ad89eadc475cc5b58244c83b
SnakeKeylogger
46147dd9c691040775f75895df40c6859409a203990a6a96a725e3625c2ddf63
SnakeKeylogger
47ffaf572157824fb5a40a2706bd72f3e0e43090c621c9d676031fd80bb35fe5
SnakeKeylogger
4b6f46c5f5f309d1e5de63307f5e7eed976a56e864f854e53afa6bb1dc671faf
SnakeKeylogger
4bfb4ba69396cd0e53407019e30928d4be9257e3b51ed78587123f9a22d23ec5
SnakeKeylogger
55b85c50614dc59af0cca5ed20dc7713f784b70b16f65fa01163e48ec006be57
SnakeKeylogger
6d3ffb896e637867433266d733f0a343f51e2bf02c0ee58cfc45967e650966ac
SnakeKeylogger
a821247cfbed9095b7e7686eeca6572b9e506e080861c11c25be542f163a2500
SnakeKeylogger
a8aad152f516add6a277e2634baa324b105a90c3b02935aa2fa11ea4f0c4667e
SnakeKeylogger
ee049ddb16bce4b0a37cce581802976cb696243207172c8461ba27d85948fd5e
SnakeKeylogger
+ 26 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210207-g5a4n1vbba/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/1b163daa-3c45-4d05-91bd-2d5eb6a137ec/
SH256 hash:
7c617cc8c9c7acfa8084682cfd0046752fb978b8cc8b1c2d686b751db6f250d3
MD5 hash:
37c31475b3d9561cb632c424717d02af
SHA1 hash:
08b0be5ecfa496acb02fc7d98f2af4621c6a8f2b
Link:
https://www.unpac.me/results/1b163daa-3c45-4d05-91bd-2d5eb6a137ec/
SH256 hash:
15059f872f603765ec3e26a3ea24ba99988b4613406b21efabfdc2110f3cdfe7
MD5 hash:
ed112022834aedbd69790666b589c6f7
SHA1 hash:
075232392f3f304ce9e2b58949b61dad6db5b1a1
Link:
https://www.unpac.me/results/1b163daa-3c45-4d05-91bd-2d5eb6a137ec/
SH256 hash:
bf7a956dd59e896c36470f38328b0a68da5f7f8a0d42d835db501324e1daec58
MD5 hash:
cea340d0902311318ae4ee12a99ec495
SHA1 hash:
a1eb2e8f4b7b38f9e882ccfefb88af414ad9bb9e
Link:
https://www.unpac.me/results/1b163daa-3c45-4d05-91bd-2d5eb6a137ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf7a956dd59e896c36470f38328b0a68da5f7f8a0d42d835db501324e1daec58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

gz c02b86f47011d7fe6e18adc1a6d105c439c9a476c217d7e625690affef2edf35

SnakeKeylogger

Executable exe bf7a956dd59e896c36470f38328b0a68da5f7f8a0d42d835db501324e1daec58

(this sample)

  
Dropped by
MD5 e77c0387f0f0f1ab393c5c43e22220c5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115945/
  
Dropped by
SHA256 c02b86f47011d7fe6e18adc1a6d105c439c9a476c217d7e625690affef2edf35

Comments